ConfigMgr 2007

This is more of a "remember this" for myself than for readers in general, as this is a problem that we don't run into that much. For me it was already the second time, though, and I couldn't directly remember what the problem was. So this post will mainly be a reminder for the eventual next time…

Also, this will be a short post, as it will just describe the problem we ran into with my current customer and what the solution was. The problem was that after we deployed a new machine we could advertise software to it, but the installation would never start. Looking into the execmgr.log we could see the following message: "This program cannot run because a reboot is in progress or software distribution is paused."

Well, the solution for this was actually quite simple; it was just the searching for it that took a while… Looking into the registry we could see that the Software Distribution - State - Paused key was set to 1, and changing this back to 0 resolved the problem. This key can be found in the following location:

We’re still not quite sure what caused this problem, but it seems to be something with ending a Task Sequence with a restart. After resolving the issue we found some other people with the same issue here and they are also guessing and linking it to the last step of the Task Sequence.

I'm not sure if this is going to be a 'remember this' series, but at least in this case it fits really well. We all know it, but sometimes we need a refresher.

We all know those scenarios where we send an Advertisement to a Collection of clients and for some reason we want to rerun the Advertisement for only one (or more) specific client(s). In this case we can use the general rerun options of an Advertisement (like always rerun), but they will affect all clients in the collection and won't work for user-targeted Advertisements. So what's left in this case? Well, the option I like the most is a registry change that we can make to trick the Advertisement into running again. When we look at a client's registry, we will see the following registry key (depending on the architecture).

As this key is located under HKEY_LOCAL_MACHINE, it can also be found by opening regedit and then connecting to a remote client. Under System we will find the PackageID of each Package that has previously run. When we now delete the PackageID of the Program that we want to rerun, it will trigger the Program to run again (during the next evaluation) even though it already completed successfully.

To find the PackageID that we need, we can open the Configuration Manager Console and select the Packages node (under Site Database > Computer Management > Software Distribution). In the overview there will be a list of all the packages with their corresponding PackageID.
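The two registry fixes from the posts above (resetting the paused state and deleting a PackageID from the execution history) done over the remote registry, as an added example that is not part of the original posts. It assumes the client's Software Distribution key sits at HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution, with the State key and the Execution History\System key below it; the posts show these paths only in screenshots, so verify them on one client first. On 64-bit Windows the 32-bit ConfigMgr 2007 client keeps them under Wow6432Node, which is the "depending on the architecture" case, and the code tries both. The computer and package names in the usage lines are constructed.

```powershell
# Added example (not from the original posts): inspect and repair two ConfigMgr 2007
# client registry locations through the Remote Registry service.
# ASSUMPTION: the client state lives under
#   HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\Software Distribution
# (native path), or the same path under SOFTWARE\Wow6432Node on x64 clients.

function Open-SdKey {
    # Opens a subkey of the Software Distribution key on a remote client, trying the
    # native and the 32-bit (Wow6432Node) path. Requires the Remote Registry service.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$SubKey,   # e.g. 'State' or 'Execution History\System'
        [switch]$Writable
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    foreach ($prefix in @('SOFTWARE', 'SOFTWARE\Wow6432Node')) {
        $path = "$prefix\Microsoft\SMS\Mobile Client\Software Distribution\$SubKey"
        $key = $hklm.OpenSubKey($path, [bool]$Writable)
        if ($key) { return $key }
    }
    throw "Software Distribution\$SubKey not found on ${ComputerName} (is the ConfigMgr client installed?)"
}

function Get-SdPausedState {
    # Reports the State\Paused value behind the execmgr.log message
    # "This program cannot run because a reboot is in progress or software distribution is paused."
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $key = Open-SdKey -ComputerName $ComputerName -SubKey 'State'
    try {
        [pscustomobject]@{
            ComputerName = $ComputerName
            Paused       = [int]$key.GetValue('Paused', 0)
        }
    } finally { $key.Close() }
}

function Reset-SdPausedState {
    # The fix from the first post: set Paused back to 0. Only writes when the value is 1,
    # so running it against a healthy client changes nothing.
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $key = Open-SdKey -ComputerName $ComputerName -SubKey 'State' -Writable
    try {
        if ([int]$key.GetValue('Paused', 0) -eq 1) {
            $key.SetValue('Paused', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            Write-Verbose "${ComputerName}: Paused reset to 0"
        }
    } finally { $key.Close() }
}

function Get-SdExecutionHistory {
    # Lists the PackageIDs under Execution History\System: every machine-targeted program
    # that has already run on this client.
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $key = Open-SdKey -ComputerName $ComputerName -SubKey 'Execution History\System'
    try { $key.GetSubKeyNames() } finally { $key.Close() }
}

function Remove-SdExecutionHistory {
    # The trick from the second post: delete the history for one PackageID so the program
    # reruns on the next evaluation. Affects only this client, unlike the rerun options
    # on the Advertisement itself.
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][ValidatePattern('^[A-Z0-9]{8}$')][string]$PackageID
    )
    $key = Open-SdKey -ComputerName $ComputerName -SubKey 'Execution History\System' -Writable
    try {
        if ($key.GetSubKeyNames() -contains $PackageID) {
            $key.DeleteSubKeyTree($PackageID)
            Write-Verbose "${ComputerName}: removed execution history for $PackageID"
        } else {
            Write-Warning "${ComputerName}: no execution history for $PackageID"
        }
    } finally { $key.Close() }
}

# Usage (constructed computer and package names):
# Get-SdPausedState        -ComputerName 'CLIENT01'
# Reset-SdPausedState      -ComputerName 'CLIENT01' -Verbose
# Get-SdExecutionHistory   -ComputerName 'CLIENT01'
# Remove-SdExecutionHistory -ComputerName 'CLIENT01' -PackageID 'ABC00012' -Verbose
```

Both write operations are deliberately narrow: the reset only touches a value that is actually 1, and the history removal validates the PackageID format and refuses anything that does not exist, so a typo cannot delete a neighbouring key.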

This time I want to devote a post to a situation I haven't been in that often. The customer was migrating from Windows XP to Windows 7, well.. nothing special here, but also migrating from local profiles to (partially) redirected profiles, well.. that's a challenge. So to capture the user data AND settings we had to come up with something special. Of course we could do some things with scripting, but the biggest challenge was the fact that the new (partially redirected) profile location was only available after the first logon to Windows 7.

With this information I started thinking about USMT 4.0 again. Most often you use this to migrate on a computer basis, but we made an exception on this. We came up with the following five steps that should do the trick:

(On Windows XP) A batch file that kicks off Scanstate. Nothing special here, we just used /uel:1 or /uel:0 to get the user profile we need (0 = logged-on user, 1 = accounts modified in the last 24 hours).

(On Windows XP) A batch file that copies the captured data and settings to the users share on the network.

(On Windows 7) A batch file that copies the captured data and settings back to a local drive.

(On Windows 7) A batch file that kicks off Loadstate. Nothing special here, we just used /ue to exclude a possibly captured local/ admin account.

(On Windows 7) A batch file that copies the last bits of data straight into the redirected profile.

The important part is something I didn't mention yet. The migration XML files offer the possibility to copy data to an alternative location, and that's what we used for the parts of the profile that would get redirected. The reason is simple: the SYSTEM account has no rights to write there, as it is a network location. Here is a sample of the part we added to the migration XML files:

This specific part would copy the desktop items to C:\Temp\Desktop instead of the desktop location in the (redirected) profile. Also important to note is that, in this case, all the copy actions have to run with user rights, as everything is copied to the user's directory.
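The five steps and the alternative-location part of the XML, put together in one script, as an added example that is not the customer's batch files or XML. The USMT folder, local store, user share, excluded account name and custom XML file name are assumptions; C:\Temp\Desktop and the /uel:0 and /ue switches come from the post. MigXmlHelper.RelativeMove is USMT's own helper for writing a captured location to another path, and the last step runs in the user's context because the redirected desktop only resolves after the user's first logon.

```powershell
# Added example (not from the original post): USMT 4.0 capture and restore with the Desktop
# written to C:\Temp\Desktop during loadstate (run as SYSTEM) and moved into the redirected
# profile afterwards with the user's own rights.
# Assumptions: -UsmtPath, -LocalStore, -UserShare and the excluded admin account below.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Capture','Restore')][string]$Phase,
    [string]$UsmtPath    = 'C:\USMT',        # assumption: USMT 4.0 binaries for this architecture
    [string]$LocalStore  = 'C:\MigStore',    # assumption: local scratch store for the state
    [string]$UserShare   = "\\FILESERVER\Users$\$env:USERNAME\MigStore",  # constructed share
    [string]$TempDesktop = 'C:\Temp\Desktop' # from the post: alternative location for the Desktop
)

# Custom migration XML: capture the Desktop normally, but on load place it under
# $TempDesktop instead of %CSIDL_DESKTOP%, which SYSTEM cannot write to once redirected.
$customXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/desktoptotemp">
  <component type="Documents" context="User">
    <displayName>Desktop to temporary location</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">%CSIDL_DESKTOP%\* [*]</pattern>
          </objectSet>
        </include>
        <locationModify script="MigXmlHelper.RelativeMove('%CSIDL_DESKTOP%','$TempDesktop')">
          <objectSet>
            <pattern type="File">%CSIDL_DESKTOP%\* [*]</pattern>
          </objectSet>
        </locationModify>
      </rules>
    </role>
  </component>
</migration>
"@
$xmlFile = Join-Path $UsmtPath 'DesktopToTemp.xml'   # assumption: name of the custom XML
Set-Content -Path $xmlFile -Value $customXml -Encoding UTF8

switch ($Phase) {
    'Capture' {
        # Steps 1 and 2 (Windows XP): scanstate for the logged-on user, then copy to the share.
        & (Join-Path $UsmtPath 'scanstate.exe') $LocalStore /o /c /uel:0 `
            /i:"$UsmtPath\MigUser.xml" /i:"$UsmtPath\MigApp.xml" /i:"$xmlFile" /l:"$LocalStore\scan.log"
        if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE" }
        New-Item -ItemType Directory -Path $UserShare -Force | Out-Null
        Copy-Item -Path "$LocalStore\*" -Destination $UserShare -Recurse -Force
    }
    'Restore' {
        # Steps 3 to 5 (Windows 7): copy the store back, loadstate with the local admin
        # excluded, then move the Desktop items into the redirected profile.
        New-Item -ItemType Directory -Path $LocalStore -Force | Out-Null
        Copy-Item -Path "$UserShare\*" -Destination $LocalStore -Recurse -Force
        & (Join-Path $UsmtPath 'loadstate.exe') $LocalStore /c /ue:"$env:COMPUTERNAME\Administrator" `
            /i:"$UsmtPath\MigUser.xml" /i:"$UsmtPath\MigApp.xml" /i:"$xmlFile" /l:"$LocalStore\load.log"
        if ($LASTEXITCODE -ne 0) { throw "loadstate failed with exit code $LASTEXITCODE" }
        # Runs as the user after first logon: GetFolderPath returns the redirected Desktop.
        $redirectedDesktop = [Environment]::GetFolderPath('Desktop')
        Copy-Item -Path "$TempDesktop\*" -Destination $redirectedDesktop -Recurse -Force
        Remove-Item -Path $TempDesktop -Recurse -Force
    }
}
```

Scanstate and loadstate need administrative rights, so in practice the Capture phase and the first part of Restore run from the task sequence, while the final Copy-Item into the redirected desktop is the only part that must run as the user.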

This week Microsoft released Forefront Endpoint Protection (FEP) 2010 Update Rollup 1 (including some extra tools). The tools update included some extra policies and also a Definition Update Automation Tool. Together with this, there was also an article published about Definition Update Automation with Configuration Manager.

Personally I don’t like the idea of creating a new Task with the Windows Task Scheduler, while we’ve got Status Filter Rules within ConfigMgr. With these rules we can make a “connection” between the scheduled synchronization of the Software Update Point (SUP) and the start of the Definition Update Automation Tool. Otherwise the tool might run while there hasn’t been a new synchronization of the SUP. To prevent this, I will show in this post how to create the Status Filter Rule.

Open the fepsuasetup.cab file and copy SoftwareUpdateAutomation.exe to <Installationdirectory>\AdminUI\bin

In the ConfigMgr Console browse to Site Database > Site Management > <Sitename> > Site Settings > Status Filter Rules and select New Status Filter Rule in the Actions pane.

On the General page, fill in a Name, select ConfigMgr Server as Source, select SMS_WSUS_SYNC_MANAGER as Component, fill in 6702 as Message ID and click Next.

This makes sure that every time the SMS_WSUS_SYNC_MANAGER is DONE this action (which we configure in the next step) will start.

On the Actions page, select Run a Program, fill in as command line "<Installationdirectory>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName <DeploymentName> /PackageName <PackageName> and click Next.
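A quick way to confirm that the trigger this rule depends on is really being raised, as an added example that is not part of the post: the site stores status messages in SMS_StatusMessage in the site namespace of the SMS Provider, so a query for Component SMS_WSUS_SYNC_MANAGER and MessageID 6702 shows when the Software Update Point last finished a synchronization. The site server name and site code are placeholders.

```powershell
# Added example (not from the original post): list the recent SMS_WSUS_SYNC_MANAGER 6702
# status messages (synchronization done) that fire the Status Filter Rule.
# Placeholders: -SiteServer and -SiteCode. The account needs read access to the SMS Provider.
function Get-WsusSyncCompletions {
    param(
        [string]$SiteServer = 'SITESERVER',   # placeholder
        [string]$SiteCode   = 'P01',          # placeholder
        [int]$Hours = 48                      # look-back window
    )
    $ns = "root\sms\site_$SiteCode"
    # Status message times are WMI (DMTF) datetimes, so the lower bound is built in that format.
    $since = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime((Get-Date).AddHours(-$Hours))
    $query = "SELECT MachineName, Component, MessageID, Severity, Time FROM SMS_StatusMessage " +
             "WHERE Component = 'SMS_WSUS_SYNC_MANAGER' AND MessageID = 6702 AND Time >= '$since'"
    Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Query $query |
        ForEach-Object {
            [pscustomobject]@{
                Time        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.Time)
                MachineName = $_.MachineName
                MessageID   = $_.MessageID
            }
        } | Sort-Object Time -Descending
}

# Usage: Get-WsusSyncCompletions -SiteServer 'SITESERVER' -SiteCode 'P01' -Hours 48
```

If the list is empty for a window in which a synchronization was scheduled, the rule has nothing to react to and SoftwareUpdateAutomation.exe will not run either; in that case the place to look is the synchronization itself (wsyncmgr.log on the site server), not the Status Filter Rule.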

This time I want to devote a post to some of the best informational links about Forefront Endpoint Protection (FEP) 2010 (and its integration with ConfigMgr 2007). These links can make it a lot easier to plan, scale, install, manage and troubleshoot your ConfigMgr 2007 environment with FEP 2010 integrated.

FEP 2010 TechNet Library – This link provides all the information available in the Microsoft TechNet Library about FEP 2010. It includes planning, scaling, installing and managing a FEP 2010 environment, with or without ConfigMgr 2007. Link: http://technet.microsoft.com/en-us/library/ff823816.aspx

Deploying the FEP 2010 Client via Disk Images – Even though this link is a part of the FEP 2010 TechNet Library, it is good to specifically name it. This link provides some registry keys which should be deleted when adding the FEP 2010 Client to an image. Link: http://technet.microsoft.com/en-us/library/gg193355.aspx

For those who didn't read it on Twitter, Facebook or mail yet, MDT 2012 B1 is available for download! Some of the best things mentioned in the release notes are that it supports ConfigMgr 2012 B2 and still supports ConfigMgr 2007 SP2! Besides that, it also supports the deployment of ALL operating systems from Windows XP and Windows Server 2003 until now. So it only delivers extras! For more information, read the mail from Microsoft Connect here:

Thanks for your ongoing interest and participation in the MDT beta review program. We hope you’ll take the time to preview and provide feedback on MDT 2012 Beta 1.

Microsoft Deployment Toolkit (MDT) 2012 Beta 1 rides the next wave of System Center releases with support for System Center Configuration Manager 2012. For Lite Touch installations, MDT 2012 improves the overall client-side user experience, while also providing behind-the-scenes enhancements for partitioning, UEFI, and user state migration. These features, combined with many small enhancements, bug fixes, and a smooth and simple upgrade process, make MDT 2012 Beta 1 more reliable and flexible than ever.

Tell us what you think! We value your input. Download the beta on Connect and tell us what you think! Please submit your feedback through Connect and direct any support questions you may have to satfdbk@microsoft.com.

Availability: This program is now open. The beta review period will run through August 2011.

MDT works with the Microsoft Assessment and Planning Toolkit and Security Compliance Manager to help you plan, securely deploy, and manage new Microsoft technologies—easier, faster, and at less cost. Learn more at http://www.microsoft.com/solutionaccelerators.

Thank you for your interest in the development of MDT. We look forward to receiving your feedback!

This blog post is going to be a short explanation of why the Asset Intelligence (AI) Reports are not showing the correct data after an upgrade to ConfigMgr 2007 SP2. The cause of the missing data was actually more logical than I first thought. One of the items on the checklist for an upgrade (http://technet.microsoft.com/en-us/library/ee344152.aspx) is the following:

If you have customized the default SMS_def.mof hardware inventory reporting file, you must create a backup of this file before upgrading the site. When upgrading a site, customizations made to the existing SMS_def.mof file will be overwritten.

Maybe this still doesn't make sense, but it will after the following piece of history about enabling AI in ConfigMgr 2007. In the ConfigMgr 2007 RTM version AI had to be enabled by manually editing the SMS_def.mof. This was renewed in ConfigMgr 2007 SP1 by adding the Asset Intelligence Reporting Class Settings dialog box, BUT these settings are still written to the SMS_def.mof.

So the combination of these two points means that after the upgrade to ConfigMgr 2007 SP2, the AI settings have to be re-enabled. This can be done through the Asset Intelligence Reporting Class Settings dialog box by reselecting the needed items, or by manually editing the SMS_def.mof.

In a previous post I showed a script to remove a computer from a collection. This post will be an add-on to that previous post. As we are removing the computer from the collection anyway, we might as well perform a Clear Last PXE Advertisement action. By doing this, it's not necessary to perform a manual action the next time the computer needs to be re-imaged.

An easy way to do this is to run a script at the end of a Task Sequence that will clear the last PXE Advertisement. This makes sure that a computer can get re-imaged as soon as it gets added to the correct collection. For this you can use the script from this post.

The usage of this script is cscript <ScriptName>.vbs /ComputerName:[ComputerName]. Keep in mind that it needs to be run with an account that has enough rights in ConfigMgr. See also this picture for an example.

'====================================
' Function to RETURN a Connection to the SMS Provider
'====================================
Function ConnectToSMSProvider(ServerName)
    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    ' Connect to root\sms on the given server to find out which machine hosts the provider for the local site
    Set objSWbemServices = objSWbemLocator.ConnectServer(ServerName, "root\sms")
    Set ProviderLocation = objSWbemServices.InstancesOf("SMS_ProviderLocation")
    For Each Location In ProviderLocation
        If Location.ProviderForLocalSite = True Then
            ' Reconnect to the site namespace (root\sms\site_<SiteCode>) on the provider machine
            Set objSWbemServices = objSWbemLocator.ConnectServer(Location.Machine, "root\sms\site_" & Location.SiteCode)
            Set ConnectToSMSProvider = objSWbemServices
        End If
    Next
End Function

'====================================
' Function to RETURN a ResourceID by a ComputerName
'====================================
Function GetResourceID(Connection, ComputerName)
    ' Look up the resource record of the computer; the last match wins if the name is not unique
    Set colResourceID = Connection.ExecQuery("Select ResourceID from SMS_R_System where Name = '" & ComputerName & "'")
    For Each objResourceID In colResourceID
        GetResourceID = objResourceID.ResourceID
    Next
End Function

Let’s start this post with a simple question. What’s the reason why the new version of Microsoft’s Forefront Endpoint Protection (FEP) 2010 is so kewl? Well, it’s the same reason why I’m blogging about it, it’s because it fully integrates with ConfigMgr 2007! In this post I will go through the installation and the integration of FEP 2010 with ConfigMgr 2007 in three parts.

(PART 1) Integration with ConfigMgr 2007 – How to install

For the installation I will go through a Basic topology installation and its prerequisites (the installation has to be performed on a Central/ Primary Site server).

On the Installation Location page, specify the folder for installation, and click Next.

On the Prerequisites Verification page, click Next.

On the Setup Summary page, click Install.

On the Installation page, click Next.

On the Installation Complete page, click Finish.

(PART 2) Integration with ConfigMgr 2007 – How does it look

After the successful installation of FEP 2010, it’s time to take a closer look at how it’s integrated with ConfigMgr 2007. For this I will create a list with all the changes/ add-ons to the ConfigMgr Console that are created during the installation of FEP.

FEP Operations are added to right-click menu, and Actions pane for computer objects

(PART 3) Integration with ConfigMgr 2007 – How does it work

Now that we know how FEP is installed and what it all creates during the installation, let's take a look at how it all works together. This part is not about all the possible different settings, but about how/ when it gets called in ConfigMgr 2007.

Client Deployment
For the deployment of the FEP client, the Microsoft Corporation FEP – Deployment 1.0 package can be used. This package contains a script that will also make sure that any of the following previously installed antimalware clients gets uninstalled:

Symantec Endpoint Protection version 11

Symantec Corporate Edition version 10

McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent

Forefront Client Security version 1 and the Operations Manager agent

TrendMicro OfficeScan version 8 and version 10

Client Policies
For the policy deployment to the FEP client, the Microsoft Corporation FEP – Policies 1.0 package will be used. By default the already existing advertisements Assign FEP policy Default Desktop Policy and Assign FEP policy Default Server Policy are used for this. This package contains a script that will make sure that policy changes that are made through the console (and saved in XML) get updated on the clients. For this the Deployed Desktops and Deployed Servers collections are used.

Client Operations
For the execution of the FEP client actions, the Microsoft Corporation FEP – Operations 1.0 package will be used. An action can be started via the right-click menu and the Actions pane for computer objects. After this the computer object gets populated in the Operations collection and the script (of this package) gets assigned to the collection.

Client Health
For the client health the FEP Dashboard (see picture) can be used. This dashboard shows an overview of Deployment Status, Policy Distribution Status, Definition Status, Protection Status, Security Status and Forefront Endpoint Protection Baselines. The statuses are based on the memberships of the FEP * Status collections. So indirectly, the membership queries of these collections determine what the dashboard shows.

Client Updates
For the client updates it’s still possible to use an Auto-Approval rule for Definitions Updates in WSUS.

I have to admit that it's just really easy/ handy to create scripts to make life a bit easier. This also counts for this scenario… A customer wanted to prevent, at all costs, that a computer gets re-imaged "by accident". It had already happened a few times that somebody accidentally did a Clear Last PXE Advertisement on a Computer, or even on a Collection.

An easy solution for this scenario is to run a script at the end of a Task Sequence that will remove the Computer directly from the Collection. This makes sure that a computer can’t get re-imaged, as it’s not a member of the collection anymore. For this you can use the script from this post.

The usage of this script is cscript <ScriptName>.vbs /CollectionID:[CollectionID] /ComputerName:[ComputerName]. Keep in mind that it needs to be run with an account that has enough rights in ConfigMgr. See also this picture for an example.

' Read the named arguments, as in the usage: cscript <ScriptName>.vbs /CollectionID:[CollectionID] /ComputerName:[ComputerName]
sCollectionID = WScript.Arguments.Named("CollectionID")
sComputerName = WScript.Arguments.Named("ComputerName")
ConnectToSMSProvider "<SiteServerName>"   ' placeholder: the site server whose SMS Provider to connect to

' Walk the membership rules of the collection and delete the direct rule for this computer
Set objCollection = objSWbemServices.Get("SMS_Collection='" & sCollectionID & "'")
colRuleSet = objCollection.CollectionRules
For Each Rule In colRuleSet
    If Rule.Path_.Class = "SMS_CollectionRuleDirect" Then
        If LCase(Trim(Rule.RuleName)) = LCase(Trim(sComputerName)) Then
            objCollection.DeleteMembershipRule Rule
            WScript.Echo "Successfully removed " & sComputerName & " from collection: " & sCollectionID
        End If
    End If
Next

'=============================
' Sub Routine to Connect to the SMS Provider
'=============================
Sub ConnectToSMSProvider(SiteServerName)
    Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    ' Connect to root\sms on the site server to find out which machine hosts the provider for the local site
    Set objSWbemServices = objSWbemLocator.ConnectServer(SiteServerName, "root\sms")
    Set ProviderLocation = objSWbemServices.InstancesOf("SMS_ProviderLocation")
    For Each Location In ProviderLocation
        If Location.ProviderForLocalSite = True Then
            ' Reconnect to the site namespace; objSWbemServices is used by the main script above
            Set objSWbemServices = objSWbemLocator.ConnectServer(Location.Machine, "root\sms\site_" & Location.SiteCode)
        End If
    Next
End Sub
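The two end-of-task-sequence actions from the PXE post and the collection post (clear the last PXE advertisement for the computer, then remove its direct membership rule) in PowerShell, sharing one SMS Provider connection, as an added example that is not the blog's own VBScript. It follows the same SMS_ProviderLocation lookup as the scripts above and uses the SMS_Collection methods ClearLastNBSAdvForMachines and DeleteMembershipRule from the ConfigMgr 2007 SDK; the site server name and collection ID in the usage lines are placeholders.

```powershell
# Added example (not the blog's VBScript): clear the last PXE advertisement and remove the
# direct collection rule for one computer, with a single SMS Provider connection.
# Placeholders: the site server name and the collection ID in the usage at the bottom.

function Connect-SmsProvider {
    # Same idea as the VBScript ConnectToSMSProvider: ask root\sms on the site server where the
    # provider for the local site lives, and return the site namespace for all later calls.
    param([Parameter(Mandatory=$true)][string]$SiteServerName)
    $loc = Get-WmiObject -ComputerName $SiteServerName -Namespace 'root\sms' -Class SMS_ProviderLocation |
           Where-Object { $_.ProviderForLocalSite }
    if (-not $loc) { throw "No SMS Provider for the local site found on $SiteServerName" }
    @{ ComputerName = $loc.Machine; Namespace = "root\sms\site_$($loc.SiteCode)" }
}

function Get-SmsResourceID {
    # Resolves a computer name to its ResourceID(s) in SMS_R_System.
    param([Parameter(Mandatory=$true)][hashtable]$Sms,
          [Parameter(Mandatory=$true)][string]$ComputerName)
    # Escape single quotes so a name cannot alter the WQL (WQL uses backslash as escape).
    $safe = $ComputerName -replace "'", "\'"
    $r = Get-WmiObject @Sms -Query "SELECT ResourceID FROM SMS_R_System WHERE Name = '$safe'"
    if (-not $r) { throw "Computer $ComputerName not found in SMS_R_System" }
    [uint32[]]@($r | ForEach-Object { $_.ResourceID })
}

function Clear-SmsLastPxeAdvertisement {
    # Equivalent of the console's Clear Last PXE Advertisement action for the given resources,
    # via the static SMS_Collection.ClearLastNBSAdvForMachines method.
    param([Parameter(Mandatory=$true)][hashtable]$Sms,
          [Parameter(Mandatory=$true)][uint32[]]$ResourceIDs)
    $r = Invoke-WmiMethod -ComputerName $Sms.ComputerName -Namespace $Sms.Namespace `
            -Class SMS_Collection -Name ClearLastNBSAdvForMachines -ArgumentList (,$ResourceIDs)
    if ($r.ReturnValue -ne 0) { throw "ClearLastNBSAdvForMachines returned $($r.ReturnValue)" }
}

function Remove-SmsDirectMembership {
    # Removes the SMS_CollectionRuleDirect rule for one computer, like the VBScript above.
    param([Parameter(Mandatory=$true)][hashtable]$Sms,
          [Parameter(Mandatory=$true)][string]$CollectionID,
          [Parameter(Mandatory=$true)][string]$ComputerName)
    $coll = Get-WmiObject @Sms -Query "SELECT * FROM SMS_Collection WHERE CollectionID = '$CollectionID'"
    if (-not $coll) { throw "Collection $CollectionID not found" }
    # CollectionRules is a lazy property: Get() fetches the full instance so the rules are present.
    $coll.Get()
    $rules = @($coll.CollectionRules | Where-Object {
        $_.__CLASS -eq 'SMS_CollectionRuleDirect' -and $_.RuleName.Trim() -ieq $ComputerName.Trim() })
    foreach ($rule in $rules) {
        $r = $coll.DeleteMembershipRule($rule)
        if ($r.ReturnValue -ne 0) { throw "DeleteMembershipRule returned $($r.ReturnValue)" }
        Write-Verbose "Removed $ComputerName from collection $CollectionID"
    }
    $rules.Count   # number of rules removed; 0 means the computer was not a direct member
}

# End-of-task-sequence usage (placeholders SITESERVER and P0100012; needs an account with
# rights on the SMS Provider, as the posts note):
# $sms = Connect-SmsProvider -SiteServerName 'SITESERVER'
# $ids = Get-SmsResourceID -Sms $sms -ComputerName $env:COMPUTERNAME
# Clear-SmsLastPxeAdvertisement -Sms $sms -ResourceIDs $ids
# Remove-SmsDirectMembership -Sms $sms -CollectionID 'P0100012' -ComputerName $env:COMPUTERNAME -Verbose
```

The order matters for the scenario the posts describe: clearing the PXE flag first and then removing the computer from the OSD collection leaves it ready for the next deployment while making sure it cannot be re-imaged until an administrator deliberately adds it to the collection again.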

About

I’m Peter van der Woude, born in 1983 and I’m living together with my wife and two sons in the Netherlands.

Currently I work for KPN Consulting. At this moment my main focus is Enterprise Client Management via Microsoft Intune and/ or System Center Configuration Manager (ConfigMgr 2007/ 2012/ CB) and I love it!